What are the dangers of Facebook cloaking? Is it simply a case of someone being capable of seeing information that the user wouldn't necessarily want them to see, or are there more devious attacks that the method will expose?
There are two common types of Facebook cloaking. The first is used for potentially illicit search engine optimization. The second, more recent type was reported by Technology Review and makes it difficult for an account to be unfriended on Facebook. Facebook responded to the Technology Review report within 48 hours by deploying a modification to its user interface. So, while this may have been an issue, it has been resolved for now.
That second method of cloaking involved deactivating a Facebook account so that users could not remove the account from their "friends" list. The attack required a user to accept the account's friend request, after which the cloaker deactivated the account. At the time of the research, users couldn't unfriend deactivated accounts. This meant that an attacker could reactivate the account, download all of the content on a user's profile, then deactivate the account again before the user unfriended it.
Given that many users publish their Facebook updates as public and that few users ever clean up their friends list, it seems that just a few users could have been targeted by a Facebook cloaking attack. This was an important issue that needed a quick resolution because users should be able to remove accounts from their friends list regardless of the status of an account. That said, given Facebook's popularity, it's likely that attackers will continue to find and exploit similar flaws.
The bottom line is that this incident is just the latest wake-up call to remind users that constant vigilance is needed to guard against creative attackers constantly seeking to violate their privacy. If users are concerned enough about their security after this exposure to take steps to enhance their Facebook privacy and avoid security issues such as Facebook cloaking, they should be easily encouraged to use Facebook's privacy settings.
This was first published in September 2012